HTTP::Tiny v0.082 is an HTTP client included in Perl (since v5.13.9) and also a standalone CPAN module. It does not verify TLS certificates by default, requiring users to opt in with the verify_SSL=>1 flag to verify the identity of the HTTPS server they are communicating with.

https://www.openwall.com/lists/oss-security/2023/04/18/14
https://github.com/chansen/p5-http-tiny/issues/134
https://github.com/chansen/p5-http-tiny/pull/153
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
https://hackeriet.github.io/cpan-http-tiny-overview/
https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
https://github.com/advisories/GHSA-g56r-phrf-6pc4
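
One way to find code affected by the opt-in behaviour described above is to scan Perl sources for HTTP::Tiny constructor calls that do not literally pass verify_SSL => 1. This is an added example, not code from the advisory or from the HTTP::Tiny project; the helper name audit_source and the sample source are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample source (not taken from any real module).
my $sample = <<'END_SRC';
my $h1 = HTTP::Tiny->new;
my $h2 = HTTP::Tiny->new( timeout => 10 );
my $h3 = HTTP::Tiny->new( verify_SSL => 1, timeout => 10 );
my $h4 = HTTP::Tiny->new(
    agent      => 'example/1.0',
    verify_SSL => 0,
);
my $h5 = HTTP::Tiny->new( verify_SSL => $opt{verify} );
END_SRC

# Hypothetical helper. Heuristic scan: returns one [line, verdict] pair per
# HTTP::Tiny->new call whose arguments do not literally enable verify_SSL.
# Argument lists with nested parentheses are cut at the first ')', so treat
# the results as leads for manual review, not as proof.
sub audit_source {
    my ($src) = @_;
    my @findings;
    while ( $src =~ /HTTP::Tiny\s*->\s*new\b(?:\s*\(([^)]*)\))?/g ) {
        my $args   = defined $1 ? $1 : '';
        my $prefix = substr( $src, 0, $-[0] );
        my $line   = 1 + ( $prefix =~ tr/\n// );    # line where the call starts

        my $verdict;
        if ( $args =~ /\bverify_SSL\s*=>\s*([^,\s]+)/ ) {
            my $value = $1;
            next if $value =~ /^(?:1|'1'|"1")$/;    # verification enabled
            $verdict = $value =~ /^(?:0|''|""|undef)$/
                ? "verify_SSL explicitly disabled ($value)"
                : "verify_SSL set from $value, review manually";
        }
        else {
            $verdict = 'verify_SSL not set in this call';
        }
        push @findings, [ $line, $verdict ];
    }
    return @findings;
}

printf "line %d: %s\n", @$_ for audit_source($sample);
```

Calls that build their options elsewhere (for example a hash passed as %opts) are reported as "not set in this call" and need to be traced by hand.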
Created perl-HTTP-Tiny tracking bugs for this issue:
Affects: fedora-all [bug 2228395]

Created perl:5.32/perl-HTTP-Tiny tracking bugs for this issue:
Affects: fedora-all [bug 2228396]

Created perl:5.34/perl-HTTP-Tiny tracking bugs for this issue:
Affects: fedora-all [bug 2228397]

Created perl:5.36/perl-HTTP-Tiny tracking bugs for this issue:
Affects: fedora-all [bug 2228398]